From: Edward Adam Davis
To: syzbot+93cbd5fbb85814306ba1@syzkaller.appspotmail.com
Cc: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [wireless?] [usb?] UBSAN: array-index-out-of-bounds in htc_issue_send
Date: Thu, 21 Mar 2024 10:39:15 +0800
In-Reply-To: <0000000000004e41110614187d35@google.com>

please test oob in htc_issue_send

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing

diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c index eb631fd3336d..9edc72601bf2 100644 --- a/drivers/net/wireless/ath/ath9k/htc_hst.c +++ b/drivers/net/wireless/ath/ath9k/htc_hst.c 
@@ -295,6 +295,10 @@ int htc_connect_service(struct htc_target *target, } *conn_rsp_epid = target->conn_rsp_epid; + if (*conn_rsp_epid < 0 || *conn_rsp_epid > ENDPOINT_MAX) { + ret = -EINVAL; + goto err; + } return 0; err: kfree_skb(skb);
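
Review bot: the upper bound in the added check, "*conn_rsp_epid > ENDPOINT_MAX", still accepts a value equal to ENDPOINT_MAX. If ENDPOINT_MAX is the number of endpoint slots rather than the last valid index, that value is one past the end of the array that htc_issue_send indexes, so the comparison should be ">= ENDPOINT_MAX". Two further points on the same hunk: the check runs after "*conn_rsp_epid = target->conn_rsp_epid;", so the caller's variable already holds the rejected value when -EINVAL is returned; validating target->conn_rsp_epid first and assigning only on success avoids that. And "goto err" lands on "kfree_skb(skb);", so please confirm the skb is still owned by this function at this point and has not already been handed to the send path, otherwise return -EINVAL directly instead of jumping to err.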